Saturday, 28 November 2009

It’s the beginning of the festive season, and it's also been an exceptionally busy week, with my usual DPA work being augmented by two drinks receptions and two launches. And one of those events has spawned an idea that might make my fortune. Well, someone’s fortune, anyway.

Before I turn to that idea, I ought to point out that one of the receptions I attended this week was a real challenge if you were dyslexic. It was held in a building that was hosting a slightly different reception on the concourse above, and members of both groups spent sometime rather wistfully wondering if they should have been mingling with the other lot. The event I attended was signed “ICO reception”, and the star guest was the new Information Commissioner, Christopher Graham. Just above and behind us, party guests were attending an event signed “IOC reception”, where the star guest was the Princess Royal. We appeared to be enjoying our food and drink to a much nosier extent that that crowd upstairs, so every now and again disapproving glances were sent in our direction. We didn’t care, though. Hardly any of that lot appeared fit enough to actually participate in the Olympics – I think they must have been the Olympic accounts teams, or something. They were eating a lot of pies. But if you wanted to mingle with real royalty, rather than DPA royalty, you had (literally) to be above us rather than on our level.

Both launches I attended this week were significant. Stewart Room’s book on “Data Security : Law & Practice” (attended by Lords, Ladies and the great and the good of the data protection world at the offices of Field Fisher Waterhouse) should give us all some very useful indicators as to the possible direction of regulatory travel. Designed for the professional, I do hope that it's going to be a very useful place for me to start from to locate that reference to that thing that’s on the back of my mind. It ought to be an essential piece of kit for everyone who regularly attends data protection events. The second launch, in the River Room at the Millbank Tower, by the Tate Gallery, was for the ICO’s new plain English guide to data protection, this time a more down-to-earth look at the principles of the Act, using practical business-based examples. It’s the sort of publication designed for those who don’t usually attend ICO or data protection events, but who still ought to know a bit about the legislation.

But my mind was most taken this week by another event – this one where I must have been invited to by mistake, as there were hardly any data protection folk there at all. At this particular party, though, a group of extremely highly paid solicitors were laying Wii golf. And this is where I had my idea. Why Wii golf, I thought to myself? Why don’t those good folk a Nintendo develop a Wii DPA game? Surely that would be a best seller.

On the train back home I started to develop a few basic concepts for the game. Were the players to be people fighting to get their Subject Access Rights, or perhaps they were DPA Officers dealing with an ICO Assessment – or trying to register all their processing purposes, etc. Then every now and again we could have a new set of DPA policies suddenly descend upon us all, or a job offer from another company, where we could start again and create a data protection concept from new. Points could be awarded for attending DPA conferences, double points for speaking at these conferences, and triple points for actually saying something new at the conferences. Points could be deducted for each data breach (for which there was an element of corporate responsibility), and they could be won for creating new measures what made it harder for data breaches to occur, but which actually let the business carry on and do some business.

Yes, I thought to myself. A DPA Wii would be a brilliant way of guiding people through the data protection maze. Let me give more thought to the concept. And if it ever hits the streets – watch the date of this posting – as I’ll be demanding my IP rights, if any IP lawyer wants to help me out (on a conditional fee basis, of course).

Saturday, 21 November 2009

I’ve been reflecting recently on what happens to people in public life who have made serious mistakes and attempted to resurrect their careers. And I wasn’t thinking about Lord Jeffrey Archer, or what Jonathan Aitken did with his “simple sword of truth”, either. Nor any other of the current crop of hapless politicians, for that matter.

What started me off was being reminded of the exploits of a British politician from a very different age. My memory was jolted when I saw an old copy of his memoir “To Fall Like Lucifer” for sale in a Crouch End charity shop. I remembered first reading it some 30 years ago. He really had class – and was a true gentleman. Ian Harvey was educated at Fettes College and Oxford University (just like former Prime Minister Tony Blair), a former distinguished army officer, married with 2 children, who turned to politics and by 1958 was a junior Foreign Office Minister.

As Wikipedia tells it, in November 1958, Harvey and a Guardsman from the Coldstream Guards were found in the bushes in St James’s Park; Harvey tried but failed to escape, and attempted to give a false name on arrest. Both were charged with gross indecency and breach of the park regulations. The indecency charge was dropped at the trial and both were fined £5. Harvey subsequently resigned his ministerial post and his seat, and paid the guardsman's fine as well as his own.

Then, after a period of a few years, he returned to public life, becoming Chairman of his local Conservative Association and a senior board member of the Inner London Education Authority. He died in 1987.

My thoughts then turned to Bob Quick, the Metropolitan Police’s former Head of Counter-Terrorism, who resigned in April of this year after he had accidentally revealed details of a covert investigation, which forced police to bring forward anti-terror raids. He was photographed by the press outside 10 Downing Street holding documents that were clearly visible marked SECRET.

He was about to brief cabinet ministers on Operation Pathway, spearheaded by MI5 and Special Branch, which was apparently designed to thwart a series of suicide attacks at shopping centres in Manchester over the Easter weekend, dubbed the “Easter spectacular.” The unintended leak, technically a breach of the Official Secrets Act, caused authorities to speed up their timetable, making raids across North-West England.

While the police apparently did manage to arrest all their suspects without much trouble, no bomb factory was found, no evidence leading to indictments was published, and all 12 suspects were subsequently released without charge. That shows what happens when you rush an investigation, I suppose. By allowing sensitive material indicating the existence of a very serious criminal investigation to pass prematurely into the public domain, the chances of a successful set of prosecutions were fatally undermined.

But I don’t expect a proficient copper will be kept down for good. As James Cleverley, Deputy Leader of the London Assembly’s Conservative Group and the Mayor of London's Ambassador for youth, put it in his blog on 9 April, “Bob made a serious mistake and took responsibility for his actions. You don't see that very often these days, do you?”

Having been roundly praised for doing the decent thing and actually resigning, I’m sure it won’t be too long before we see Bob Quick returning to prominent policing or security roles. Or perhaps he’s already working on the 2012 Olympics, and I've just not noticed.

I wonder who will be the next celebrity to fall - but then arise again - after a decent interval.

I’ve just returned from the gym and am still really wound-up with frustration.

Let me explain.

I live in North London and am proud to be a citizen of Crouch End. Until recently, we have had a very benevolent local council (Haringey) who have very kindly allowed us, the mere rate-payers, to use a car park at the rear of the local public library every Saturday so that we can do our local shopping (and use the library). During weekdays, the car park is reserved for local authority workers. But at weekends, for the past 15 years or so, it’s been freely available for anyone to use. This arrangement has not caused any problems with council workers, as they don’t use those car park spaces on weekends anyway.

So you can imagine my mood change when I arrived at the car park this morning to see a new set of signs by the entrance gates. We ratepayers are now only permitted to use a fraction of the par park, and even then we can only park for 2 hours. That’s not sufficient time for the many Crouchenders like me who first use one of the local gyms and then queue for ages at the check outs in Budgens and Waitrose before we can return to our cars. So we’re annoyed. Really annoyed. In fact, we’re so annoyed that we’re even blogging about it...

The signs at the car park entrance are pretty shamefully worded too. They explain that “Wheel clamps and vehicle removals are in operation”. Parking is not permitted in spaces now reserved for library staff. The clamp fee is £100. The tow fee is £100. Storage charges for these towed vehicles are £30 a day. And all patrons are warned that there could be long delays in unclamping vehicles. Finally I read the statement; “Library staff have no involvement in parking issues and do not call Wing Security to clamp or tow vehicles – for all enquiries regarding these matters call the number above”.

Pathetic.

No prior warning was given that the parking rules were to be changed. Nor is there any explanation for this radical change of policy. Nor are there any contact details for those responsible for this matter. All we locals can do is vent our frustration at the security contractors who are are hardly going to be sympathetic as they likely to benefit financially as a result of this new policy. A lot of people were caught unawares and are very angry.

We can all live with situations where we are given fair warning that the rules are about to be changed, as we can then plan ahead and make other arrangements. But, when no warning at all is given about an abrupt change in strategy that costs victims a possible penalty of £230, it really does erode the confidence I have (or had) in my local council.

Saturday, 14 November 2009

Has the Ministry of Justice embarked on yet another attempt to undermine the Information Commissioner’s Office?

That was the first thought that came into my head when I read the “consultation document” the MoJ has recently rushed out on setting the maximum penalty the Commissioner will be able to impose for serious breaches of data protection principles.

To be brutally honest though, it’s not really a proper consultation document. Those awfully clever mandarins at the MoJ have managed to publish something which has 22 pages. But, it really is a dead cert to win the annual “Don’t tell him, Pike” award (sponsored by the BBC's "Dad's Army programme) for the crassest attempt to provide as little evidence as possible from which consultees can base their views.

What would an uneducated reader learn from the consultation document itself? Hardly anything. The proposal is set out (on page 8) in 123 words. The background to the issue is sketched out in 198 words, while the “evidence” on which views are sought is covered (on pages 8 and 9) in just 190 words. And that’s it. There’s nothing else to read, really. Blink and you’ve missed it.

The real evidence – and the really interesting stuff, is tucked away elsewhere, about which there is just one single reference in the entire consultation document, This is the "Impact Assessment", which is 33 pages in length and contains some very interesting assumptions about just how the Information Commissioner’s Office would really use the powers it was given.

In a nutshell, the MoJ mandarins have worked out what the Information Commissioner might do if he were able to award maximum fines of £50,000, £500,000 or £2.5million per offence. If the maximum fine were to be just £50,000, then 12 data controllers would be in for the chop each year. If the maximum fine were to be raised to £500,000, then just 8 data controllers would be up before the beak. But, if the maximum fine were to be a whopping 2.5 million, only 6 data controllers would need to stiffen themselves for a whacking every year. These assumptions appear on pages 4,6 and 8 of the analysis.

Somewhat confusingly, page 17 of the analysis reports that the ICO estimates that monetary penalties are imposed approximately 25 times each year for serious contraventions. I can only explain the difference in these statistics by assuming that this larger figure refers to court fines, rather than the new penalties that are being discussed in this consultation document.

The bean counters have also done their sums in anticipation of the income that would be generated from those caught in the firing line. Should the maximum penalty be £50,000, the working presumption is that each of the 12 will be fined £25,000 (raising some £300,000). If the maximum fine were to be £500,000, the 8 unfortunates will be fined £100,000 (raising £800,000). Finally, if the maximum fine were to be £2.5 million, the 6 miscreants will be fined £1 million (raising £6 million).

In 2009 there were about 319,000 data controllers registered on the public register of data controllers. So if they all behave alike, they can’t each expect to get caught that often. If the maximum fine were to be set at £500,000 then they might expect their own £100,000 fine to be levied once every 39,875 years. So if I were a data controller’s accountant, I would suggest that they set aside £2.50 each year for the “ICO statutory fine” pot.

And what would the benefits be to society? It’s been assessed that if the maximum fine were £50,000 or £500,000, then controllers would take additional precautions that would result in 4 serious data breaches being prevented every year. And if the maximum fine were to be increased to £2.5 million, then the additional controls might ensure that 6 serious data breaches would be prevented every year. These really are the assumptions that appear on pages 4,5 and 7 of the analysis.

That does not appear (to me) to be much of a deterrent. Nor, is it assessed (by me), will it have much of an impact.

Custodial sentences, on the other hand, might concentrate the minds of some of the more reckless data controllers. But that's my view - not the stated views of any of the MoJ mandarins, as far as I have been able to glean from the two MoJ documents I've referred to in this blog.

I was interested to understand whether the MoJ felt that larger companies would feel more motivated to improve their data protection standards if larger fines were likely. After all, the Financial Services Authority is able (and willing) to fine banks and other financial institutions millions of pounds for inadequate security controls, yet it appears that the ICO is not to be allowed to aware similar fines when data controllers allow other breaches to occur. It's not at all clear why the protection of someone's financial information is apparently more important than the protection of their “sensitive” personal information about matters such as their health, sexuality, religious views, political persuasions or criminal background.

And I’m still none the wiser.

So, what messages should the reader be picking up from the MoJ, as it strives to find a slogan that most adequately sets out its aspirations? Having recently re-read (bits of) Jonathan Swift’s “Gulliver’s Travels”, I think it’s fair to assume that, as power is steadily devolved from Westminster to the “People’s Republic of Wilmslow”, visitors to that new land should expect to be greeted by natives who are as friendly as those who lived in Lilliput, rather than as fearsome as the gigantic beasts that Gulliver encountered during his later voyage to Brobdingnag.

Friday, 13 November 2009

Am I writing this blog simply to promote me as the sage of all data protection wisdom? Or to stimulate debate on issues I get passionate about? A bit of both, really. So, I thought, before I go off the rails and get ignored by just about everyone I know (or knew), I had better create a dozen simple rules to follow as I blog. Feel free to let me know when I overstep these marks.

1 Tell the truth.

2 Write short blogs.

3 Publish them regularly.

4 Focus on a single issue for each blog.

5 Respect everything supplied in confidence.

6 Stick to what I know (or what I think I know).

7 Use plain language, not technical gobbledegook.

8 Make serious, as well as trivial, points in each blog.

9 Develop my own ideas, in my own time, using my own equipment.

10 Change the text when I write something that causes unnecessary offence or embarrassment.

11 Credit everyone I plagiarise.

12 Try to look on the brighter side of life. (I think I sense a song coming on...)

On Wednesday, in London, I paid my respects to those who had sacrificed their lives defending the realm, by visiting the Cenotaph in Whitehall and reflecting on the wreaths that had recently been laid there by those who are so much braver than me.

Also on Wednesday, my work colleagues gathered around me to sing “Happy Birthday”, and I was presented with the book token I had been hoping to get which enabled me to pop out and exchange it for a copy of the first edition of “The Defence of the Realm: the authorized history of MI5” by Christopher Andrew. Covering 100 years (and 1,000 pages), it’s an account that I can’t wait to delve into. And to complete my birthday celebrations, yesterday Jonathan Evans, the Director General of MI5, very kindly signed it for me!

This morning, I woke to hear Evan Davies questioning the Prime Minister on Radio 4 on the Government’s strategy in Afghanistan, where lives continue to be lost as our servicemen seek to further protect our country.

These events have helped reinforce the point that some of what I do (at work) really matters. I remain absolutely convinced that communications records should be available to those who are on the front line, and to those whose role it is to support those who are on the front line, in the fight against terrorism and in defence of national security.

But this does not automatically mean that communications records should also be available to those who just want to see whether I’ve been voting each week for my favourite X Factor contestant. My preferences as to whether I want Stacey Soloman, the Jedward twins or Olly Murs to win really ought to be just a private matter between me and Simon Cowell.

For the record, however, I recon it’s a shoo-in for Olly.

Despite raising it in a somewhat flippant manner in this blog, I do appreciate it is actually an extremely serious question, and one which I’ll reflect and report back on later.

Wednesday, 11 November 2009

For the past couple of days, journalists have been trying to decipher the signals that have emerged from the Home Office about the fate of its proposals to “protect the public in a changing communications environment”.

Earlier on in the year the story appeared to be that some outfit called the “Interception Modernisation Programme” had been created to devise ever more ingenious ways of requiring the retention of records relating to phone, text, email and internet communications. This was to ensure that the law enforcement community could continue their vital role in preventing and detecting crime. In April, when the Home Office’s much awaited consultation paper was published, the big story was that whatever was going to happen, it would not include a gigantic central database, where all these records would be carefully stored. “The Register” was the runnaway winner in the “name-that-database” competition: “Wacky Jacquie’s Uberdatabase” was born” – in honour of the then Home Secretary Jacquie Smith.

The trouble was that the consultation paper didn’t give much else away as to any options that remained on the table. Comments were invited on any ideas as to what to do in place of the central database. Where was “Plan B”?

A couple of days ago, the Home Office published its summary of responses to the consultation paper – amid so much confusion that some commentators reported that all of the proposals had been shelved, while others warned that the plans were merely to be delayed. Shami Chakrabarti of “Liberty” called for “A bold alliance of phone companies who fear losing public trust and concerned citizens to come together in opposition to these plans”. (London Metro, 10 November)

The last person to lead the alliance against "Wacky Jacquie’s Uberdatabase" was Richard Thomas, the then Information Commissioner. Richard has done more to raise awareness about the significance of protecting personal information, and at the same time to focus public attention on the need to publish information our public officials would like hidden away, than all of his predecessors put together. Funnily enough, and despite victories that parliamentarians will rue for decades, he wasn't knighted when his term of office ended. Surely some mistake?

So what’s the truth about the IMP? And how should I know? Have those awfully clever members of the Interception Modernisation Programme really been told to pack up their pencils and head back to their other jobs? In the words of the disciples who implored their brave leader in the musical (and film) Jesus Christ Superstar, “What’s the buzz – tell me what’s a happening....”

Well, as Gerry Adams once said of the Provisional IRA, "They've not gone away you know."

And how do I know? Yesterday, I accompanied a well dressed (and frightfully well mannered) bunch of telecoms oiks to a Central London location to learn from the authors of the consultation document just what they thought the Government meant when it published its summary of responses. These Home Office officials were (almost certainly) the same bunch that wrote the original consultation document, so I’m confident they know what they are talking about.

The telecoms oiks who accompanied me to this meeting comprise what can only be described as a very junior telecoms equivalent to the Advisory Council on the Misuse of Drugs. They are a bunch of experts from various providers, all of whom give freely of their time to give honest advice on what is technically feasible on their networks. They are all trusted individuals who are sworn to secrecy. But,they have in the past found it really hard to remember what the IMP has told them in confidence, and therefore must not be shared with anyone who doesn’t know the golden password, and what the IMP has told everyone else in public, and therefore can be discussed in polite company.

Unlike some members of the Advisory Council on the Misuse of Drugs, these telecoms oiks continue to attend meetings convened by the IMP even if they appear to disagree with Government policy. A few have left the group over the years – but that’s because they’ve been made redundant from their respective companies. I’m certain that such redundancies have had nothing to do with their differences of views on the issues the IMP has ever wanted to discuss.

I won’t give away the location of the last meeting in case that’s protected by the golden password. Suffice to say, it’s in Westminster. You have to enter a building up one small flight of stairs, and nod to a doorkeeper to your left, whispering “IMP” just loud enough for him to hear. You then get pointed to an unmarked door under the stairs, which you enter, turn sharp right and are faced with a locked door which has a window. If the next doorkeeper likes the look of you, you are let in and relieved of your electronic equipment. Your credentials are checked, then you are issued with a coloured pass, and you then wait for a grown up with a differently coloured pass to carefully escort you out the door you had just entered, across the corridor, through another locked door and down the special staircase to the special conference rooms below. You are then warmly greeted by people who you’ve met before (and on lots of occasions) but who seem to have arrived at these special conference rooms via another route. To get out, you need to leave a few minutes earlier than you would do in any other type of office building. But that’s another story.

So, what’s the buzz?

The view from the “Provisional” wing of the IMP is that “Doing nothing in the face of challenges from rapidly changing technology was not an option”. (See page 23 of the Summary of Responses)

The view from the “Real” wing of the IMP is that “The Government will continue to develop the approach it proposed in the consultation document with a view to bringing forward the necessary legislation”. And, “The Government will also continue to work closely with communications service providers to ensure that any additional requirements will be feasible and reasonable, and to minimise, as far as possible, any impact on the industry”. (See page 16 of the Summary of Responses)

So, its clear. Something will be done. Dunno what, though.

And nor do they.

Watch this space.

So let’s see who joins Shami and her colleagues in forming “A bold alliance of phone companies who fear losing public trust and concerned citizens to come together in opposition to these plans”.

And in our spare time, please we can all search for Richard's lost knighthood.

Saturday, 7 November 2009

I’ve been giving some thought recently about the role I ought to play should a data breach occur. Is it appropriate for me to throw myself forward, take full control and keep the contents of the Information Commissioner’s guidance on data breach management all to myself? Or should I assume the role of a coach, pointing those involved in the breach to the various corporate policies that (ought to) exist and ensure that they accept accountability for the consequences of any mishaps that had corrupted their own processes?

This question was prompted by a very thoughtful article which appeared in the Times online edition a few days ago, on 5 November. The journalist Philip Delves Broughton was reflecting on the development of a social revolution in Japan. He described the revolution as being led by a group of as many as 40 per cent of all Japanese men currently aged between 21 and 34. This new generation believe that life is far more important than work. They don’t accept that their fate is to suffer silently in Japan’s vast corporations and bureaucracies. Work should occupy a discreet rather than overwhelming place in their lives. Family and friends matter far more than shopping or travel. They reject the culture of the macho Japanese salarymen. They do not believe companies will look after them. They do not respect job titles or hierarchies, only those who control resources and produce obvious outputs. They abhor office politics and do not respond to traditional motivational tools such as promotion, pay rises and the promise of job security.

Strong, revolutionary stuff. I reflected on whether many of my friends refuse to dress or behave like older employees in their respective workplaces. I wondered how many of them just believed that at work and in life, doing OK is OK. That there was no need to show everyone how much effort you’re making. Friends who challenged the conventional models of success. Friends who could honestly say “All I want to feel is that my work has a sense of purpose".

And yes, there are a few. And, growing in number.

So, back to the point. Just what role should I play should a data breach occur?

My cunning plan is to ensure that the breach handling process that I should have helped create works just as well in practice as it did in theory. It’s going to be to ensure that those who were responsible share the pain. And it’s going to be to ensure that the pain is sufficiently harsh to encourage effective steps to be put in place to prevent such mishaps occurring in future. My cunning plan is unlikely to include me cancelling any (much needed) holidays, or working 20 hours a day, grabbing a few hours sleep in the hotel nearest to the office, grazing on pizzas and peanuts, or living on my nerves until all the fuss has completely died down. My cunning plan is to design a breach handling process that engages all the relevant people in the business, not to adopt a set of behaviours which signify a personal infatuation and obsession about me, to the exclusion of everyone else. My cunning plan ought not reflect the ruthless pursuit of my own gratification, dominance and ambition.

Yes, it’s going to be a bit of “tough love”. Some people may see it as an uncaring approach. But that’s not the case. If I am not personally accountable for the business process that have failed, then it’s not necessarily going to be “my” mess. And I don’t want to develop a reputation as someone who simply sorts out other people’s mess. Instead, I want to be seen as someone who helps them put their own house back in order. That way, they may feel grateful for my support, but also quietly glad that they were empowered to resolve the situation for themselves.

I hope that I’ll always be on hand to assist with the external PR work, to throw myself at the mercy of the Commissioner’s confessional chamber, and to let all those affected know that we’ll be treating any incident with the utmost gravity. And I hope that I’ll try and stop the greedy few from demanding compensation for innocent mistakes that have not caused them any real harm, perhaps by ensuring they know that those responsible will be making charitable donations to atone for their actions.

But above all else, I expect that I’ll want my colleagues to share the full horror of the incident - because if they don’t, then they may never appreciate just how personally betrayed an innocent victim of a data breach might actually feel.

Friday, 6 November 2009

According to my dictionary, an "ode" is "a lyric poem marked by lofty feeling and dignified style". So the following bit of doggerel is not an ode. But it is (somewhat) respectfully written - in homage to Google’s new “Dashboard” control panel, which enables people to more easily access and adjust their own privacy settings. The Dashboard was launched a couple of days ago, at a Data Protection conference in Madrid on 4 November.

I also (very) respectfully pay tribute both to Alma Whitten, Google’s software engineer for privacy & safety, while immitating the style (and using many of the phrases) of Julia W Howe who, during the American Civil War, wrote the original verses of the "Battle Hymn of the Republic" in single evening at the Willard Hotel, Washington DC, on 18 November 1861. That's almost exactly 148 years ago.

This blog was crafted during the course of a single evening, too. And it shows.

I hope Alma won't be offended. I certainly don't mean to offend her. I met Alma last week at the Demos event in Bradford (which sparked my 2 November blog) and really enjoyed her easy manner, professionalism and deep commitment to fairness and transparency. She's one of Google's shining stars!

Mine eyes have seen the glory of the coming of the Board;It’s a simple way of knowing how your preferences are stored;And soon it will be winning every privacy award;It’s truth is marching on.Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!Glory! Glory! It's the Dashboard! The truth is marching on.

I've heard Alma speaking softly to a hundred data champsThey have builded her a platform for the evening dews and damps;I can view her presentations by the dim and flaring lamps;Her day is marching on.Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!Glory! Glory! It's the Dashboard! Her day is marching on.

I have read a fiery press release which really makes you feel“You journalists are ignorant and just don’t get the deal”;Let the Hero, born a woman, crush the serpent with her heel,Since Alma’s marching on.Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!Glory! Glory! It's the Dashboard! Since Google's marching on.

Alma's helped to build a Dashboard where the picture is complete;She is sorting out the hearts of men before they start to tweet;Oh, with self control, now plead with her: Come photograph my street;Our Alma’s marching on.Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!Glory! Glory! It's the Dashboard! And Google marches on.

In the beauty of the lilies she was born across the sea,With a glory in her bosom that transfigures you and me:As she works to make men useful, let us work to make men free;While Alma marches on.Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!Glory! Glory! It's the Dashboard! While Google marches on.

She is coming like the glory of the morning on the wave,She is wisdom to the mighty, She is honour to the brave;I will start to use her Dashboard if you promise to behave,As Alma marches on.Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!Glory! Glory! It's the Dashboard! Yes, Google marches on.

Thursday, 5 November 2009

Those awfully clever Burghers at the European Commission have proposed changes to the data protection rules that prevent us from ever sleepwalking into a surveillance society again. Instead, the sleepwalk could turn into a sprint.

All this might come about because of the implications of a compromise agreement the European Parliament is about to nod through about a package of measures relating to telecommunications. Specifically, it appears that Member States are now expected to do things that will enable those nasty “illegal peer to peer” file sharers to be identified and dealt with.

I ought to declare an interest at this stage, as I was among the group of people who were involved in creating the original communications data retention rules back in the early 1990s. At that time, we tried to develop an easy way of distinguishing “call traffic” records, which were supposed to be retained for law enforcement purposes, and “content” records, which were really private as they revealed what was actually said, or communicated, between the various parties.

It is this rule that requires, say, a mobile network provider to retain records that reveal that “A” sent “B” a text message at a certain time, and that a certain cell site was used to transmit or receive the call. And it is this rule that requires that mobile network provider to delete the actual contents of the text as soon as it has been delivered. So no-one knows how poorly spelt our texts really are (other than the recipient).

Similarly, in an internet environment, it is this rule that requires an ISP to retain web activity logs that just relate to “communications data” and not the content of the communication. The Home Office helpfully explained this (in a Code of Practice on the Voluntary Retention of Communications Data back in March 2003) as information only up to the first slash of a web address. So, the ISP could be required to retain web activity logs reflecting that at a certain time someone clicked on the www.russianbabes.com website, but no further details. So, the ISP would not be allowed to keep details of just which Russian Babe that person had been chatting to. Yippee - their right to privacy had been respected.

And Parliament has formally approved this distinction between IP traffic and content data too - by the coming into force of the Retention of Communications Data (Code of Practice) Order 2003 (also known as SI 2003 No 3175). So, someone will have to get Parliament to change its mind through a potentially messy parliamentary procedure if the official view about what ISPs are to be allowed to retain is to change.

But, as I noted at the start of this blog entry, the European Commission is just about to require Member States to do things that will enable those nasty “illegal peer to peer” file sharers to be identified and dealt with. Surely that means that these data retention rules are going to have to be revisited. It appears that ISPs are to be expected to identify the naughty boys and girls when asked by the men in suits who protect the digital rights of people such as Elton John, Lilly Allen and James Blunt, etc. How else is an ISP expected to know which person has accessed a specific URL, if it is only permitted to retain information to the level of the domain server?

Presumably, the only way the new scheme can be made to work is for the ISP to be forced to keep logs of all the URLs visited by a user over a period, say, of a year.

And I would cringe if this information were ever to get into the wrong hands. We all had a good smirk when we learnt about the adult films that were apparently viewed by a former Home Secretary’s husband. How much wider could the smirk on our faces get if it were to be revealed that an internet account paid for by a politician had been used to access the really naughty pages of particularly embarrassing sites. Impossible? Don’t you believe it. There’s nothing like a juicy morsel like that to get the journalists waving their cheque books around.

And, given the consolidation going around the ISP community right now, what engineer might not be tempted to inflate his potential redundancy payment with records that might well be worth many times the amount his (soon to be) former employer might be planning to give him?

In his lecture to the Centre for Policy Studies on freedom and surveillance on 15 July, Damien Green MP the Shadow Minister for Immigration, spoke about fears that we are living in a policing-led state: “Police needs are driving policy in this area with no sense of balance between the legitimate demands of the police and the need to preserve the freedom and privacy of the citizen.”

He was worried about the way the Regulation of Investigatory Powers Act 2000 (an Act that sets out which public bodies can access communications data) was being used by authorities other than the police: “The use of what were meant as powers to be used against serious criminals and terrorists helps destroy confidence in public bodies. If we are all suspects, then none of us will help the authorities. That way lies the atomisation of society.”

And he finished his lecture with a warning: “The bigger the capacity to collect and share information, the greater danger there is to privacy, and therefore to freedom. It is time for the freedom fighters of the world to fight back against the controlling state."

So let’s see how the Tories respond to this apparent attack on privacy.

Wednesday, 4 November 2009

The anoraks among us will have noted that my last blog contained a piece of information that could have been more precise.

I reported that “some” 15,694 Statutory Instruments had been nodded through Parliament since the last General Election. Have I counted them all? No, not individually. But I don’t actually know if anyone else has counted them all either. In fact, where can you go to get an accurate answer?

I’m quite confident that 135 Public Acts received Royal Assent between May 2005 and yesterday, as the Office of Public Sector Information helpfully appends a new “Chapter Number” to each Act as the Royal Signature is appended to the legislation. So I was able to refer to their website and learn that the Appropriation (No. 3) Act 2005 c.21 received Royal Assent on 20th July 2005, while the Parliamentary Standards Act 2009 c.13 received Royal Asent on 21 July 2009.

But Statutory Instruments are different beasts. Each SI is allocated a different number. But. like my sock drawer, some are missing from the final list. So they are either “secret SIs” or they’ve somehow gone AWOL between being initially allocated and completing their passage through Parliament. But I couldn’t be bothered to count them all individually. Instead, I started at the first SI to be passed since that election, “The Health and Safety at Work etc. Act 1974 (Application to Environmentally Hazardous Substances) (Amendment) Regulations 2005, SI 1308". This was made on 9th May, laid before Parlament on 12th May and came into force on 3 June 2005.

And I finished with “The A3(M) Motorway (Junction 5, Carriageways) (Temporary Prohibition of Traffic) Order 2009, SI 2901". This was made on 26th October and came into force on 31st October 2009.

Bored yet? I am. So I’ll wait for someone else to explain where a researcher can go to learn just how many Statutory Instruments do make their way onto the statute books.

Tuesday, 3 November 2009

Last week, on 29 October, the European Commission announced that it had moved to the second phase of an infringement proceeding over the UK to provide its citizens with the full protection of EU rules on privacy and personal data protection when using electronic communications.

Apparently, there is a gap in the law. The Regulation of Investigatory Powers Act 2000 (RIPA) authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. However, the “EU Data Protection Burghers” have declared that these provisions do not comply with EU rules which define consent as “freely given specific and informed indication of a person’s wishes”.

Unless a satisfactory response is received, the UK may be referred to the European Court of Justice.

What a load of rubbish. When was the last time that the British Government really observed such a narrow definition of “consent”?

I thought I would test this definition by comparing the legislation that has been nodded through Parliament with the commitments made to the electorate in the Labour Party’s last manifesto, published in April 2005, which set out their programme should they win the General Election in May 2005. If we have to live within the confines of our “privacy policies”, then perhaps so ought they.

But a 112 page pocket size booklet is a lot harder to read than most of the privacy policies out there.

What did it say about the Europe and the new Constitutional Treaty? Oh yes - page 84 explains that “It strengthens the voice of national parliaments and governments in EU affairs. It is a good treaty for Britain and for the new Europe. We will put it to the British people in a referendum and campaign whole-heartedly for a “Yes” vote to keep Britain a leading nation in Europe”.

And we all know what happened to that commitment. It was ignored.

Perhaps the Conservatives realised that they didn’t really stand a chance of winning, which is why their manifesto was only 29 pages long. Not much point in issuing a detailed explanation of promises you know you aren’t going to be expected to keep. Their "privacy policy" was much more succinct. At the very bottom of the last page (page 29) they proclaimed that “Within the first day, we will set a date for the referendum on the European Constitution, in which we will campaign for a “no” vote".

And we all know what happened to that commitment. Today, after the leader of the Czech Republic had signed the treaty, the commitment was annulled.

I then decided that there was more to life than looking at political manifestos, and will await the publication of a learned article from a political scientist who has looked more closely at the 135 Acts and some 15,694 Statutory Instruments that have appeared since May 2005. How many of these were anticipated in the Labour Party’s manifesto? And, to what extent has the consent of the British electorate been “fairly obtained” in all of those cases?

But my point is a serious one. Why should these “Burghers” be allowed raise the bar so high in creating a concept of “consent” if they so blissfully ignore similar standards when national politicians seek a mandate to rule us more generally?

If the EU thinks it’s on a winning streak by criticising our RIPA provisions, then it’s going to have its work cut out should it ever be invited to examine some of the other pieces of legislation that Parliament has recently nodded through.

Monday, 2 November 2009

Why have a lie-in on a Saturday morning in the comfort of your London flat when instead you can be up at the crack of dawn and travel with Demos Researchers Peter Bradwell, Dan Leighton and Max Wind-Cowie up to Bradford to help out their “People’s Enquiry” into Personal Information? Well, I fell for that argument, and was really glad that I did.

Having previously addressed the group that had met at the Demos HQ in London on Wednesday 28th October, I was ready to speak to a group of people that I expected to be engaged, dispassionate, keen to ask probing questions, and very accepting of the fact that others should feel free to express views that were quite different to their own. And I was not disappointed. What a pleasure it was to meet such a friendly bunch who welcomed me into their midst and treated me, a newcomer, to their deliberations with such courtesy and respect.

Returning to Leeds Station later that afternoon, my mood changed from one of elation to one of despair. The main route to the railway station had been sealed off by West Yorkshire Police who were striving to contain a small bunch of mindless thugs, mostly extremists from the English Defence League, who had congregated in Leeds city centre to campaign against what they saw as the perils of Islamic fundamentalism. Opposing them, a few hundred yards away, were a small group of rival demonstrators from Unite Against Fascism. And the police were stuck in the middle, trying both to record the scenes on film and also to gently remind the crowd of onlookers (who greatly numbered either group of demonstrators) not to encourage the thugs to partake in any more acts of mindless vandalism.

Just what sort of society are we living in? The police were trying their hardest to be professional and dispassionate, and to reduce the tension that was evidently in the air. At the same time, they were being required to respect the rights of a bunch of bigots who were screaming messages of hate and intolerance to anyone who would listen, and who were threatening violence to anyone they could get close enough to lay their hands on.

So, I have a message for Peter, Dan and Max. Next Saturday, as you travel to Bradford for the next session of the “People’s Enquiry”, don’t bother travelling much past Leeds Railway station. The pleasant, thoughtful and considerate group that meets in Bradford doesn’t really need your assistance. They can do the work very well by themselves. It’s that small group of fascist thugs you really need to turn your attention to, many of whom were barely out of their teens. Why should they be afforded police protection to enable them to spread their vile message, when what they so desperately need is to be educated in the ways of expressing different ideas and values in an atmosphere of mutual tolerance and respect?

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts have become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.